
Medical Records Breach: Part 2

Most job descriptions list demonstrated written communication skills under the requirements section.

Students in cyber degree programs with little or no relevant work experience often only need examples to help guide their research for assignments.

Paying it forward by publishing this research paper meets both of the objectives above.

Do you publish? Because our voices are needed in this space.

Breach Scenario Case Study:

A Fortune 500 health care company received complaints from users about their systems acting cray cray after opening an email attachment from HR.

Cray cray was not a typo 🙂

An initial incident analysis uncovered some inconsistencies in the Snort IDS logs, so a digital forensics firm was hired to analyze the network, DB server, and impacted workstations for evidence.

The database server is a Microsoft Windows 2003 Server running Microsoft SQL Server 2008. They also use Linux and Windows XP in their environment.

Here is the link to Part 1, which covered evidence identification, acquisition, preservation, and workstation forensic analysis.

This is Part 2 of a two-part series describing how I would approach a breach investigation for the given scenario. This post covers database forensics, DB server evidence, witness preparation, and ethical considerations.

Processing the DB Server:

The team will image the server's drive using the same approach that was used to securely image the database administrator's drive in Part 1.

A Forensic Analysis Log will be used to document each step to ensure the process complies with the requirements set forth for admissibility in the Federal Rules of Evidence.

Per Part 1 of this series, I used tables instead of a numbered list or bullet points because professors like to see tables and it makes it easier to think through all the necessary steps with a visual.

Bosses also like tables too, so this is a good habit to develop.

Some of the columns in the tables are not visible on mobile devices, so I recommend viewing on a regular screen.

Potential Database Server Evidence

The team will attempt to capture a raw image, which is a sector-by-sector copy of the disk (Garfinkel, et al., n.d.). A raw image preserves the exact structure and content of the disk, including unallocated space and deleted files, so it helps to preserve the integrity of the evidence. The image will be hashed at acquisition and the hash re-verified before analysis so that any later change can be detected.

Next, investigators will capture and evaluate active system memory (RAM), the pagefile, and BIOS settings, listed in order of volatility (most volatile -> least volatile) (Case, et al., 2014). Memory has to be acquired while the server is still running, before it is powered down for disk imaging, because its contents are lost at shutdown. In addition, the contents of the c:\windows\system32 folders will be analyzed based on what is detected in memory and the registry.

Further, the team will enumerate any suspicious listening ports or evidence of data exfiltration. Antivirus protection status and associated logs will be evaluated as well.

Another item of interest is the NTFS $LogFile, the file system's transaction journal. It records metadata operations such as file creation, renaming, and deletion with timestamps, so it provides a footprint of what happened on the volume at a given time, even for files that were later deleted. Combined with the Windows Security event log, which records which account performed an action, it can usually tie file system activity back to specific users.

Other Potential DB Server Evidence

The team will evaluate host and network firewall logs if available for suspicious network traffic from the suspected host. As mentioned in the workstation evidence section, there will also be an analysis of IDS/IPS for suspicious events from the suspected host.

The review of the /var/log/snort and /var/log/messages log files for evidence of tampering with, or changes to, the IDS/IPS configuration, which Part 1 described for the user's workstation, will be extended to cover the server as well.

Other forensic sources include the Windows System, Application, and Security event logs, which will be reviewed for anomalies. The team would evaluate database logs and activity for evidence of data exfiltration. There would also be a review of database security for unknown or newly created accounts: SQL Server logins, database users, and membership in server roles (particularly sysadmin).

Afterwards, the team would assess the database for evidence of unauthorized dropped, altered, or added tables. Finally, the team will review browser history and deleted files on the server to rule out malicious user behavior.
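As an added example of the two database checks above (new or unknown accounts, and dropped, altered, or added tables), here is a set of T-SQL triage queries for a SQL Server 2008 instance. This is not code from the original post or from the scenario; it assumes a restored copy of the server image rather than the live production server, a placeholder database name and incident window, and the default trace left at its factory-enabled setting. Each query and its result should be recorded in the Forensic Analysis Log.

```sql
-- Added example (not from the original post): account and DDL triage on
-- SQL Server 2008. Assumptions: the records database is named PatientRecords
-- and the incident window starts on the date below; both are placeholders.
USE [PatientRecords];
DECLARE @since DATETIME = '2000-01-01';  -- assumption: set to the start of the incident window

-- 1. Server logins created or modified in the window, with their server roles.
--    A new login holding sysadmin is the first thing to explain.
SELECT p.name, p.type_desc, p.create_date, p.modify_date, p.is_disabled,
       STUFF((SELECT ', ' + r.name
              FROM sys.server_role_members rm
              JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
              WHERE rm.member_principal_id = p.principal_id
              FOR XML PATH('')), 1, 2, '') AS server_roles
FROM sys.server_principals p
WHERE p.type IN ('S', 'U', 'G')          -- SQL login, Windows login, Windows group
  AND (p.create_date >= @since OR p.modify_date >= @since)
ORDER BY p.create_date DESC;

-- 2. Database users that were created in the window or that do not map to
--    any server login (orphaned, or added directly inside the database).
SELECT dp.name, dp.type_desc, dp.create_date, dp.modify_date,
       sp.name AS mapped_login
FROM sys.database_principals dp
LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')
  AND dp.principal_id > 4                -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND (sp.name IS NULL OR dp.create_date >= @since);

-- 3. Default trace: table DDL and security audit events. The catalog views only
--    show current state, so a login or table that was created and then dropped
--    is invisible to queries 1 and 2; the trace still has it. The trace rolls
--    over (5 files x 20 MB), so preserve the .trc files from the image as well.
DECLARE @trace NVARCHAR(260);
SELECT @trace = path FROM sys.traces WHERE is_default = 1;
-- Rewind from the current rollover file (log_N.trc) to log.trc so that
-- fn_trace_gettable reads every file still on disk, oldest first.
SET @trace = REVERSE(SUBSTRING(REVERSE(@trace), CHARINDEX('\', REVERSE(@trace)), 260)) + 'log.trc';

SELECT t.StartTime, e.name AS event_name, t.LoginName, t.HostName,
       t.ApplicationName, t.DatabaseName, t.ObjectName,
       t.TargetLoginName, t.RoleName
FROM sys.fn_trace_gettable(@trace, DEFAULT) t
JOIN sys.trace_events e ON e.trace_event_id = t.EventClass
WHERE t.StartTime >= @since
  AND (   (t.EventClass IN (46, 47, 164)   -- Object:Created / Object:Deleted / Object:Altered
           AND t.ObjectType = 8277         -- user table
           AND t.EventSubClass = 1)        -- commit only; the begin phase is a duplicate row
       OR t.EventClass IN (104, 108, 109, 20))  -- Audit Addlogin, Add Login to Server Role,
                                                -- Add DB User, Login Failed
ORDER BY t.StartTime;

-- 4. Features commonly turned on to exfiltrate data or move laterally. All three
--    are off by default on SQL Server 2008, so a value of 1 needs an explanation.
SELECT name, CAST(value_in_use AS INT) AS enabled
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries');
```

Two caveats worth noting for the log. Running these against the live server changes its state (plan cache, trace activity), which is why the example assumes a restored copy of the image. And the default trace does not record successful logins, only failed ones and the audit events listed, so the SQL Server error log and the Windows Security event log remain the sources for tying a session to a user and a time.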

Expert Witness Preparation

We learned early in our graduate program that evidence must be admissible, authentic, reliable, and complete in order to be considered legally valid under the Federal Rules of Evidence.

Additionally, proper evidence handling is critical to maintaining the integrity of the forensics, and preparation plays an integral role in ensuring it meets the Federal Rules of Evidence (U.S. Department of Justice, 2009). Maintaining a repeatable documentation process ensures that these standards are met.

In order to ensure admissibility, the team will perform the following:

Review the workplan.

Study detailed notes of the acquisition and storage process used, noting any deviations from the work plan.

Review chain of custody documentation and accurately document the date, time, and source of the sample.

Have another team member walk through the work plan to identify any inconsistencies in delivery or enumeration.

Court Testimony Preparation:

Depending on the severity of the breach, this could end up in federal court. As a cautionary measure, the team will ensure that expert witnesses can withstand a Daubert challenge to the admissibility of their testimony.

That is, candidates will be vetted for the pertinent education and expertise standards as mandated by evidentiary rules for certain cases (Zatyko and Bay, 2011). Background checks will be conducted out of precaution so that opposing counsel cannot challenge witness credibility.

The team would begin court testimony preparation by reviewing videos and other multi-media sources of past digital forensics court testimonies that were successful. This will ensure that members are aware of how court proceedings are usually carried out.

Next, the team would participate in mock cross-examinations using attorneys from outside firms. This will ensure that there is no bias in the process and that witnesses are not familiar with the parties performing cross examination. This activity will also serve to facilitate a more accurate real world scenario for all involved.

Next, the team will collaborate on investigating and identifying any potential gaps in workplan or evidence gathering and determine defense for discrepancies.

This will include a review of:

Federal Rules of Evidence

Procedures for evidence handling

Forensic Analysis Logs

Exhibits that will be entered into the court record

There will also be discussions about persuasive delivery of factual information and making emotional connections with the jury. Special emphasis will be placed on communicating with non-technical audiences.

The best way to present technical terms to nontechnical people is by relating them to things they are familiar with from daily life. People are more likely to understand a technical term when it is explained in terms of activities or items they interact with regularly, so this approach should be used whenever feasible.

Finally, the team will validate that any breaks in chain of custody can be adequately explained such that evidence is not deemed inadmissible.

Ethical Considerations

As with other professions that require a high degree of public trust, investigators will be required to adhere to the firm's internal code of ethics as well as the code of ethics published by (ISC)2 for security professionals ((ISC)2, n.d.).

Those ethics include:

Protecting society

Acting honorably

Providing competent services

Advancing the profession

Team members will also be advised of their responsibilities to the client. Those obligations include keeping all aspects of the work confidential and not performing any actions that could negatively impact the outcome of the forensics investigation.

The scope of responsibility to the client is not just evidence. Care must be taken to avoid any impropriety, including disclosing intellectual property or using it to profit or harm the business.

This covers interactions with law enforcement, members of the media, family members, and even social media communications (Harrington, 2014). More importantly, forensics professionals must demonstrate good moral character.

The team is also required to follow all ethical practices involving acquisition, storage, and presentation of forensic data to avoid any aspect of evidence being considered inadmissible in a court of law. Finally, ethics must include staying within the scope of the investigation.